
That is one line of PHP containing an SQL statement. To the experienced eye it's defective, but to a lot of new PHP programmers this looks fine.

First there seems to be some confusion about the quotation marks so I will go into those here.

Single ' quotes are handled by PHP literally. That means what you see inside the ' marks is exactly what you get. Example:

PHP Code:

$Author = 'Joe Bloggs';

print 'Comment written by $Author';

The above will print like this:

Comment written by $Author

This is because the single quotes tell PHP that it should be handled exactly as it is without changing anything.

Double " quotes are where our magic happens. Double quotes tell PHP to examine the string inside it and if there are any variables found, replace them with their values. There is however a trade-off: PHP checks double quoted strings for variables it needs to replace - this uses more CPU cycles. Example:

Simple right? I'm glad you agree but read on because many people still get confused especially when trying to use them within the string.

When you need to use the single ' or double " inside a single quoted string you need to tell PHP to ignore it. The way this is done is to escape the quote within the string. To escape a character we use the \ slash. Example:

PHP Code:

//Single quote example
print 'This comment is from Joe Bloggs\'s blog.'; //Note the use of \'

This comment is from Joe Bloggs's blog.
Joe Bloggs said "This is my comment."

Ok, so you've seen how to escape quotes to use them within their own type of quotes, but what happens if we want to use the opposite quote in our string? Well, with single quotes anything you use there is handled literally, so using a double quote inside a single quoted string will produce exactly that - a double quote. Inside a double quoted string a single quote can also be used with no escaping required.

Now what about using the \ within a string?
In single quoted strings you don't need to worry. Sometimes in double quoted strings you may need to escape it.

So, what's wrong with that then?
If you look at the SQL after the word VALUES it becomes clear that there is some complex quoting going on:

Code:

//We're already inside double quotes at the beginning and end of the SQL.
"' .$author. '", "'. $message. '"

As you can see, PHP sees double quotes there and does not know if you're terminating the string or trying to add something. Then we have a single quote, plus the addition of a variable before trying to add on another string containing another double quote... before trying it all again!

Now I'll quickly mention arrays here as there also seems to be a little confusion with those. There is no need to ever use double quotes UNLESS your Key is text with a variable (EG: "Key$I" - Where $I is a number):

PHP Code:

//Not needed - It will work but it will waste CPU cycles checking the Key for a variable:
$Array["Comment"] = 'This is a test.';

//Better way using less CPU cycles:
$Array['Comment'] = 'This is a test';

//With variables:
$Key = 'Comment';

//Not great but it works:
$Array["$Key"] = 'This is a test.';

//Better:
$Array[$Key] = 'This is a test.';

All of the above will work but you don't always need the double quotes.

There may also be times when you wish to use functions or PHP commands in conjunction with your quoted text. The general thing you must realise is that a string (that's quoted text) is just a string of text. It is seen by PHP as just that - text. PHP will check double quoted strings for variables and replace them but it will not run PHP commands or functions inside a string. You should realise that single quoted strings will not do anything magical so the following example uses double quoted strings. Example:

Double quotes tell PHP to examine the string inside it and if there are any variables found, replace them with their values. There is however a trade-off: PHP checks double quoted strings for variables it needs to replace - this uses more CPU cycles.

Regarding the execution time, there is no indication that this would matter at all. (ref.)

The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.

I find the easiest and quickest way to check what the actual query about to be run is, is to echo it to the browser and syntax errors should then be fairly obvious.

For more complex queries a good practice imo is to first get the query working in the SQL GUI of your choice and then transfer the query to your server side script.

I agree, I frequently test SQL through phpmyadmin to see if it will work as expected and I always use mysql_error() where appropriate too.

It was rather late at night when I created this tip for the noobs so it's not perfect and the SQL was taken from another topic here as it looked like a good example to demonstrate with. Obviously in hindsight I may have got that wrong but hey ho I tried!

No, no, you got it right, it was a bit daft of me in hindsight to use SQL as an example but I found it in another topic and it looked perfect for a tip topic! In hindsight SQL, strings and quotes are entirely different but there we go, that's the kind of silly things I do at 1am!

When I first started learning php I never had access to a reliable connection so I had to learn a lot the hard way using localhost and a local copy of the php manual. I had to figure out a lot of stuff myself with no-one to ask (you know, the silly things that take hours to figure out like the IE bug in my sig) so I figured these tip topics could be pretty useful in helping others and answering those little silly things that aren't always immediately obvious.
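
As an added example (not code from any post in this thread), the script below rebuilds the kind of INSERT discussed in the first post, first with a double-quoted PHP string and single-quoted SQL literals, then as a prepared statement that needs no quoting of the data at all. The `comments` table, its column names, the sample values and the in-memory SQLite database are assumptions, since the original SQL line is not shown on the page.

```php
<?php
// Added example, not code from the thread. The table name "comments" and its
// columns are assumptions; the original INSERT line is not shown on the page.
$author  = "Joe Bloggs's blog";   // constructed value containing a single quote
$message = 'Joe Bloggs said "This is my comment."';

// In-memory SQLite so the script runs offline (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (author TEXT, message TEXT)');

// 1) Double-quoted PHP string, single quotes around the SQL string literals.
//    PHP interpolates the variables; no concatenation or nested double quotes.
$sql = "INSERT INTO comments (author, message) VALUES ('$author', '$message')";
echo $sql, PHP_EOL;   // echoing the query, as suggested in the thread

try {
    $db->exec($sql);
    $interpolated = 'accepted';
} catch (PDOException $e) {
    // The apostrophe in $author ends the SQL literal early, so the
    // statement is malformed even though the PHP quoting is correct.
    $interpolated = 'rejected: ' . $e->getMessage();
}
echo "Interpolated query $interpolated", PHP_EOL;

// 2) Prepared statement: the SQL text is a single-quoted PHP string with
//    placeholders, and the values are passed separately, so neither PHP
//    quoting nor SQL quoting of the data is involved.
$stmt = $db->prepare('INSERT INTO comments (author, message) VALUES (:author, :message)');
$stmt->execute([':author' => $author, ':message' => $message]);

// Read the row back to confirm both kinds of quote were stored unchanged.
$row = $db->query('SELECT author, message FROM comments')->fetch(PDO::FETCH_ASSOC);
var_dump($row['author'] === $author, $row['message'] === $message);
```

Because the bound values never become part of the SQL text, the prepared form also keeps user-supplied input from changing the structure of the query.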